Harald Welte has submitted this change and it was merged. (
https://gerrit.osmocom.org/10443 )
Change subject: sscp_scrc: Fix memleak of xua_msg when handing it to
scrc_rx_mtp_xfer_ind_xua
......................................................................
sscp_scrc: Fix memleak of xua_msg when handing it to scrc_rx_mtp_xfer_ind_xua
Fixes following error provided by LeakSanitizer:
Indirect leak of 1496 byte(s) in 11 object(s) allocated from:
#0 0x7f1eb3332d99 in __interceptor_malloc
/build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:86
#1 0x7f1eae617b61 in _talloc_zero (/usr/lib/libtalloc.so.2+0x5b61)
#2 0x7f1eb063e365 in xua_msg_alloc
/home/pespin/dev/sysmocom/git/libosmo-sccp/src/xua_msg.c:49
#3 0x7f1eb0650ee3 in osmo_sccp_to_xua
/home/pespin/dev/sysmocom/git/libosmo-sccp/src/sccp2sua.c:1298
#4 0x7f1eb0668d6a in mtp_user_prim_cb
/home/pespin/dev/sysmocom/git/libosmo-sccp/src/sccp_user.c:173
#5 0x7f1eb068ba86 in deliver_to_mtp_user
/home/pespin/dev/sysmocom/git/libosmo-sccp/src/osmo_ss7_hmrt.c:94
#6 0x7f1eb068bf00 in hmdt_message_for_distribution
/home/pespin/dev/sysmocom/git/libosmo-sccp/src/osmo_ss7_hmrt.c:133
#7 0x7f1eb068d345 in m3ua_hmdc_rx_from_l2
/home/pespin/dev/sysmocom/git/libosmo-sccp/src/osmo_ss7_hmrt.c:275
#8 0x7f1eb063c08f in m3ua_rx_xfer
/home/pespin/dev/sysmocom/git/libosmo-sccp/src/m3ua.c:586
#9 0x7f1eb063cea6 in m3ua_rx_msg
/home/pespin/dev/sysmocom/git/libosmo-sccp/src/m3ua.c:739
#10 0x7f1eb0687188 in xua_cli_read_cb
/home/pespin/dev/sysmocom/git/libosmo-sccp/src/osmo_ss7.c:1590
#11 0x7f1eaff77db4 in osmo_stream_cli_read
/home/pespin/dev/sysmocom/git/libosmo-netif/src/stream.c:192
#12 0x7f1eaff79091 in osmo_stream_cli_fd_cb
/home/pespin/dev/sysmocom/git/libosmo-netif/src/stream.c:276
#13 0x7f1eaf259795 in osmo_fd_disp_fds
/home/pespin/dev/sysmocom/git/libosmocore/src/select.c:217
#14 0x7f1eaf259abb in osmo_select_main
/home/pespin/dev/sysmocom/git/libosmocore/src/select.c:257
#15 0x55666c1bebd3 in main
/home/pespin/dev/sysmocom/git/osmo-msc/src/osmo-msc/msc_main.c:697
#16 0x7f1ead1c306a in __libc_start_main (/usr/lib/libc.so.6+0x2306a)
#17 0x55666c1bc649 in _start
(/home/pespin/dev/sysmocom/build/new/out/bin/osmo-msc+0x185649)
The code path is the following, starting from mpt_user_prim_cb:
mtp_user_prim_cb
osmo_sccp_to_xua
xua_msg_alloc
scrc_rx_mtp_xfer_ind_xua
sccp_scoc_rx_from_scrc
scrc_node_6
scrc_node_4
scrc_translate_node_9
So the xua_msg is created in mtp_user_prim_cb through osmo_sccp_to_xua
and then handed over to scrc_rx_mtp_xfer_ind_xua which transfers the
xua_msg and thus should take ownserhip of it, and consecuently freeing
it once it's done using it.
Change-Id: I43e159c82b64bd85b185f77ee19b6455a96e082f
---
M src/sccp_scrc.c
1 file changed, 12 insertions(+), 4 deletions(-)
Approvals:
Jenkins Builder: Verified
Harald Welte: Looks good to me, approved
diff --git a/src/sccp_scrc.c b/src/sccp_scrc.c
index cd01774..9005dc7 100644
--- a/src/sccp_scrc.c
+++ b/src/sccp_scrc.c
@@ -438,13 +438,14 @@
}
/* Figure C.1/Q.714 Sheet 1 of 12, after we converted the
- * MTP-TRANSFER.ind to SUA */
+ * MTP-TRANSFER.ind to SUA. Takes ownership of \a xua and frees it once
processed. */
int scrc_rx_mtp_xfer_ind_xua(struct osmo_sccp_instance *inst,
struct xua_msg *xua)
{
struct osmo_sccp_addr called;
uint32_t proto_class;
struct xua_msg_part *hop_ctr_part;
+ int rc;
LOGP(DLSS7, LOGL_DEBUG, "%s: %s\n", __func__, xua_msg_dump(xua,
&xua_dialect_sua));
/* TODO: SCCP or nodal congestion? */
@@ -454,6 +455,7 @@
/* Node 1 (Sheet 3) */
/* deliver to SCOC */
sccp_scoc_rx_from_scrc(inst, xua);
+ xua_msg_free(xua);
return 0;
}
/* We only treat connectionless and CR below */
@@ -463,7 +465,9 @@
/* Route on GT? */
if (called.ri != OSMO_SCCP_RI_GT) {
/* Node 6 (Sheet 3) */
- return scrc_node_6(inst, xua, &called);
+ rc = scrc_node_6(inst, xua, &called);
+ xua_msg_free(xua);
+ return rc;
}
/* Message with hop-counter? */
hop_ctr_part = xua_msg_find_tag(xua, SUA_IEI_S7_HOP_CTR);
@@ -472,7 +476,9 @@
if (hop_counter <= 1) {
/* Error: hop-counter violation */
/* node 4 */
- return scrc_node_4(inst, xua,
SCCP_RETURN_CAUSE_HOP_COUNTER_VIOLATION);
+ rc = scrc_node_4(inst, xua,
SCCP_RETURN_CAUSE_HOP_COUNTER_VIOLATION);
+ xua_msg_free(xua);
+ return rc;
}
/* Decrement hop-counter */
hop_counter--;
@@ -492,5 +498,7 @@
default:
break;
}
- return scrc_translate_node_9(inst, xua, &called);
+ rc = scrc_translate_node_9(inst, xua, &called);
+ xua_msg_free(xua);
+ return rc;
}
--
To view, visit https://gerrit.osmocom.org/10443
To unsubscribe, or for help writing mail filters, visit
https://gerrit.osmocom.org/settings
Gerrit-Project: libosmo-sccp
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I43e159c82b64bd85b185f77ee19b6455a96e082f
Gerrit-Change-Number: 10443
Gerrit-PatchSet: 2
Gerrit-Owner: Pau Espin Pedrol <pes...@sysmocom.de>
Gerrit-Reviewer: Harald Welte <lafo...@gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Pau Espin Pedrol <pes...@sysmocom.de>
